General

  • Target

    b19bb36e78ecdcea75709e7406b147c8dc81881feabbcb872355050b6293c8e6

  • Size

    2.6MB

  • Sample

    240625-xp7knaxbna

  • MD5

    1a9c7dc657a31ec83f663d1e58d06f3c

  • SHA1

    c06d32608eebc5255caacd5921a3baf73c002f5b

  • SHA256

    b19bb36e78ecdcea75709e7406b147c8dc81881feabbcb872355050b6293c8e6

  • SHA512

    09a0671be4d09f983138367a60bff257edb0230a52e73ae9e844a9a1fbf0c04a18f7e43082bebd8b2e80918d60d98afcd407275d89d269718208806b18d102de

  • SSDEEP

    49152:RQZAdVyVT9n/Gg0P+WhoCwypXTrcU0V2mkjSPfRpFmPgHvjD:SGdVyVT9nOgmhjXv0PfRpFmUn

Targets

    • Detect PurpleFox Rootkit

      Signature match for the PurpleFox rootkit component.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access trojan whose source code is public; it has been used by multiple Chinese threat groups.

    • PurpleFox

      PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

    • Drops file in Drivers directory

    • Server Software Component: Terminal Services DLL

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX, or a modified build of it (UPX is an open-source packer).

    • Drops file in System32 directory
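
The following Python script is an added example, not part of the sandbox report. It does two things a practitioner does before trusting this page: confirms a local file is the sample described here (by comparing MD5/SHA1/SHA256/SHA512 against the hashes above; SSDEEP is not computed because it needs a third-party library) and reproduces the "UPX packed file" signature with a minimal PE section-table parser. The `build_minimal_pe` helper constructs a synthetic PE for demonstration and is an assumption of this example; the hash values are copied from the report.

```python
import hashlib
import struct

# IOC hashes copied from the report above.
IOC = {
    "md5": "1a9c7dc657a31ec83f663d1e58d06f3c",
    "sha1": "c06d32608eebc5255caacd5921a3baf73c002f5b",
    "sha256": "b19bb36e78ecdcea75709e7406b147c8dc81881feabbcb872355050b6293c8e6",
    "sha512": "09a0671be4d09f983138367a60bff257edb0230a52e73ae9e844a9a1fbf0c04a"
              "18f7e43082bebd8b2e80918d60d98afcd407275d89d269718208806b18d102de",
}


def hash_bytes(data: bytes) -> dict:
    """Return the four report hash algorithms over the whole byte string."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC}


def matches_ioc(data: bytes) -> set:
    """Names of the algorithms whose digest of `data` equals the report's IOC."""
    digests = hash_bytes(data)
    return {alg for alg, expected in IOC.items() if digests[alg] == expected}


def pe_section_names(data: bytes) -> list:
    """Parse the PE section table and return section names; [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # COFF header starts right after the 4-byte "PE\0\0" signature.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                             # truncated table: stop, do not crash
        raw = data[off:off + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1/UPX2.

    A modified UPX build can rename them, so a miss here does not prove the
    file is unpacked; a hit is a strong hint that unpacking is needed first.
    """
    return any(name.upper().startswith("UPX") for name in pe_section_names(data))


def build_minimal_pe(section_names) -> bytes:
    """Construct a tiny PE32 image with the given section names (demo only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                       # PE32 optional header, magic 0x10b
    struct.pack_into("<H", opt, 0, 0x10B)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii")[:8].ljust(8, b"\0"),
                    0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
    print("IOC hash matches:", sorted(matches_ioc(data)) or "none")
    print("sections:", pe_section_names(data))
    print("UPX-style section names:", looks_upx_packed(data))
```

Run it with a file path to check a downloaded sample; without arguments it analyses the constructed PE. Treat the hash comparison as authoritative and the section-name check as a hint only: the report's own signature description covers modified UPX builds, which this heuristic will miss.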
